On 1/1/17, 1:15 AM, "omup...@gmail.com on behalf of OmPrakash Muppirala" <omup...@gmail.com on behalf of bigosma...@gmail.com> wrote:
> >Hmm, to play the devil's advocate, security should not be pay-as-you-go. >This should be opt-in by default. Someone will have to go the extra mile >to turn it off. > >This is the sort of thing that will go out in the wild and folks will get >affected by it soon enough. We will then need to push out an emergency >release to fix an XSS attack made possible by FlexJS. > >Either that or we call the default implementation 'InsecureHTMLText' or >something like that. Well, the article you posted specifically mentions "sanitizing any HTML code submitted by a user." IMO, that is different from HTML code entered by a developer or sucked in from a database. There are other opportunities to sanitize that non-user HTML that won't have runtime performance issues. Also, the article mentions there being more than one way to sanitize, so we should let folks choose what to use and when to use it. Or am I missing something? -Alex
